AWS S3 Bucket (9, 10, 11)

Question 1

An S3 file has a full path of s3://my-bucket/my_folder/another_folder/my_file.txt … Which part of the path is the Key

Answer 1

The Key is my_folder/another_folder/my_file.txt

Question 2

What is the max object size in S3? What is uploading max?

Answer 2

5TB; 5GB (recommended use multi-part upload after 100MB)

Question 3

S3 Versioning will overwrite the previous file, true or false?

Answer 3

False. S3 creates a new version

Question 4

Version ID for a file in a bucket is null, why?

Answer 4

We enabled versioning for the bucket after the object was added to the bucket

Question 5

How can you restore a deleted object in S3?

Answer 5

Delete the version with a Delete Marker

Question 6

What are the 4 methods of encrypting objects in S3?

Answer 6

SSE-S3, SSE-KMS, SSE-C, Client Side Encryption

Question 7

What is SSE-S3 encryption for S3?

Answer 7

Encryption using keys handled & managed by Amazon s3; object is encrypted server side

Question 8

What header must be set for SSE-S3 encryption for S3?

Answer 8

“x-amz-server-side-encryption”: “AES256”

Question 9

What is SSE-KMS encryption for S3?

Answer 9

Encryption using keys handled & managed by KMS;

object is encrypted server side

Question 10

What header must be set for SSE-KMS encryption for S3?

Answer 10

“x-amz-server-side-encryption”:”aws:kms”

Question 11

What are the SSE-KMS advantages?

Answer 11

User control and audit trail

Question 12

What is SSE-C encryption for S3?

Answer 12

Server-side encryption using data keys fully managed by the customer outside of AWS;
Amazon S3 does not store the encryption key you provide;
HTTPS must be used and the encryption key must be provided in every request

Question 13

What is client-side encryption for S3?

Answer 13

Clients must encrypt data themselves before sending to S3;

Clients must decrypt data themselves when retrieving from S3

Question 14

What two options for default encryption does S3 bucket provide for you?

Answer 14

SSE-S3 and SSE-KMS

Question 15

What is User Based S3 security?

Answer 15

IAM policies - which API calls should be allowed for a specific user from IAM console

Question 16

What is a Resource Based Policy?

Answer 16

Bucket policies - bucket wide rules from the S3 console - allows cross account;
JSON based policies

Question 17

Which encryption method for S3 Bucket requires you to use HTTPS?

Answer 17

SSE-C

Question 18

How can an IAM principal access an S3 object?

Answer 18

If the user IAM permissions allow it OR the resource policy allows it AND there is no explicit deny;
An explicit deny takes precedence over the IAM permissions allowance;
A bucket policy does not need to be created as long as there is no explicit deny

Question 19

What are 3 use cases for S3 bucket policy?

Answer 19

Grant public access;
Force objects to be encrypted at upload;
Grant access to another account (Cross Account)

Question 20

How can MFA (Multi-Factor Authentication) be used in S3 Bucket?

Answer 20

It can be required to delete objects

Question 21

What is a pre-signed URL used for in S3?

Answer 21

They are URLs that are only valid for a limited time

Question 22

You are getting a Forbidden when trying to upload a file on S3? What is a possible reason?

Answer 22

The bucket policy could be preventing it; e.g. files must be encrypted before/while uploading;
If it is a public upload, it could also be the Block Public Access settings

Question 23

Users cannot access the object S3 URL with correct key path for your static website? What could be a cause?

Answer 23

When a bucket is created, it has the Block All Public Access option configured in the Block Public Access settings. You need to configure this and then create a Bucket Policy that allows users to Read the object (the static site object). Even if Block Public Access is turned off, you still need to create a Bucket Policy.

Question 24

What is an origin in CORS?

Answer 24

An origin is a scheme (protocol), host (domain) and port;

e.g. https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)

Question 25

What is an example of when CORS would be needed?

Answer 25

Say we have a bucket that serves a website. That website then needs to call another bucket for a resource (say a picture). The other (cross origin) bucket will need to allow traffic calls from the origin website. We need to enable CORS in the cross origin bucket.

Question 26

How long is the read after write consistency time for deleting or updating objects to S3?

Answer 26

It is eventually consistent

Question 27

Your client wants to make sure the encryption is happening in S3, but wants to fully manage the encryption keys and never store them in AWS. You recommend

Answer 27

SSE-C

Question 28

Your company wants data to be encrypted in S3, and maintain control of the rotation policy for the encryption keys. You recommend

Answer 28

SSE-KMS

Question 29

Your company does not trust S3 for encryption and wants it to happen on the application. You recommend

Answer 29

Client Side Encryption

Question 30

The IAM permissions allows our users to read/write files in the bucket, yet we were not able to perform a PutObject API call. What is your assessment?

Answer 30

The IAM user has an explicit DENY in the bucket policy. Explicit DENY in an bucket policy will take precedence over the IAM permission

Question 31

If you are installing AWS CLI, you use it and get the error `aws: command not found`; what is the problem?

Answer 31

The AWS executable is not in the PATH environment variable

Question 32

What is the wrong way of configuring credentials on EC2 for CLI?

Answer 32

Running `aws configure` in the EC2 instance is very insecure. Never put personal credentials on an EC2 machine. Only belong on personal computer. We should use an IAM Role attatched to an EC2

Question 33

What is the right way of configuring credentials on EC2?

Answer 33

Attach an IAM Role to an EC2 instance; EC2 instances will reach out to the AWS Account through the CLI and the AWS will check the credentials and permissions of the ROLE.

Question 34

How many IAM roles can an EC2 instance have at a time?

Answer 34

One, this is the instance profile

Question 35

What is an inline policy in IAM?

Answer 35

It is a policy that is only attached to one identity (user, group, or role)

Question 36

How can we simulate AWS CLI commands without actually utilizing resources (and costing money)?

Answer 36

We can add option --dry-run to the command

Question 37

What are ways we tested policies and roles with IAM?

Answer 37

We can use the IAM Policy Simulator site and the AWS CLI --dry-run option

Question 38

What is the AWS CLI STS command line used for in debugging? What is the command?

Answer 38

It can decode error messages from API calls that fail; | `aws sts decode-authorization-message --encoded-message {{value}}`

Question 39

What command in the AWS CLI can we use to configure a non-default account? How would we access that accounts S3 storage?

Answer 39

`aws configure --profile {{profile-name}}` | `aws s3 ls --profile {{profile-name}}`

Question 40

What is the AWS CLI command without options to get an access key and session key for MFA?

Answer 40

`aws sts get-session-token`

Question 41

If you get a ThrottlingException intermittently for any AWS service, what should you do?

Answer 41

Use exponential backoff; exponential backoff is exponentially increasing the duration between retrying calls; Must implement yourself if using the SDK API

Question 42

If we are getting consistent API Rate Limit errors what should we do?

Answer 42

Request an API throttling limit increase

Question 43

What is the order of the AWS CLI Credentials Provider Chain?

Answer 43

``` Command line options; Environment variables; CLI credentials file; CLI configuration file; Container credentials; Instance profile credentials ```

Question 44

What is the order of the SDK Credentials Chain?

Answer 44

``` Environment variables; System properties (only for Java?); Default credential profiles file; Amazon ECS container credentials; Instance profile credentials; ```

Question 45

An application deployed to EC2 instance is using env variables with credentials from an IAM user to call the Amazon S3 API. The IAM user has S3FullAccess permissions. An IAM Role and EC2 Instance Profile was created for the EC2 instance with access to only one S3 Bucket. The role had minimum permissions, yet the EC2 still had access to all S3 buckets. Why?

Answer 45

Environment variables have priority in the credentials chain. The application with SDK uses the env variables.

Question 46

What is Signature v4?

Answer 46

We must use this when sending requests to AWS through HTTP. If you use the CDK and CLI, these are signed from you; Either as an HTTP header or in the URI as a query string

Question 47

I have an on-premise personal server that I'd like to use to perform AWS API calls?

Answer 47

I should run `aws configure` and put my credentials there. Invalidate them when I am done. You cannot attach IAM Role to a personal server.

Question 48

My EC2 Instance does not have the permissions to perform an API call to PutObject on S3. What should I do?

Answer 48

Attach a policy to the IAM Role on my EC2 Instance that authorizes it to do the API call

Question 49

I need my colleagues help to debug my code. When he runs the application on his machine, it's working fine, whereas I get API authorization exceptions. What should I do?

Answer 49

Compare IAM policies. Do not share credentials and do not put personal credentials on the EC2 server.

Question 50

To get the instance id of my EC2 machine from the EC2 machine, the best thing is to...

Answer 50

Query the meta data at http://{{ip-address}}/latest/meta-data

Question 51

I'd like to deploy an application to an on-premise server. The server needs to perform API calls to Amazon S3. Amongst the following options, the best security I can achieve is...

Answer 51

Create an IAM user for the application and put the credentials into environment variables. here, it's about creating a dedicated user for that application, as using your own personal credentials would blur the lines between actual users and applications.

Question 52

When I run the CLI on my EC2 Instances, the CLI uses the ______ service to get _____ credentials thanks to the IAM Role that's attached.

Answer 52

meta data | temporary; | remember! user data is for ec2 instances starting

Question 53

I want to test whether my EC2 machine is able to perform the termination of EC2 instances. There is an IAM role attached to my EC2 Instance. I should

Answer 53

Use the IAM Policy Simulator OR the dry run CLI option

Question 54

Can EC2 Instances retrieve the IAM Role policy JSON document that's attached to them using the CLI without any role attached?

Answer 54

No. You can retrieve the role name attached to your EC2 instance using the metadata service but not the policy itself

Question 55

I have received an authorization exception from my EC2 instance while performing an EC2 API call. I want to decode the cryptic message. How do I do it?

Answer 55

Use the STS decode-authorization-message API

Question 56

Which API call should be used to get credentials before issuing API calls against an MFA-protected API?

Answer 56

STS GetSessionToken

Question 57

A admin can enable MFA-Delete in a bucket, true or false.

Answer 57

False. Must be root account.

Question 58

How can we ensure encryption in S3 without a bucket policy?

Answer 58

Enable default encryption on the bucket

Question 59

It is good practice to set your app bucket as your logging bucket as well, true or false?

Answer 59

False. We will have to log the logs themselves and it will grow exponentially.

Question 60

What is CRR in S3 and what are it's use cases?

Answer 60

Cross Region Replication; Compliance for storing data in several safe locations; Lower latency access for accounts or users in another region; Replication across accounts

Question 61

What is SRR in S3 and what are it's use cases?

Answer 61

Same Region Replication; | Log aggregation, live replication between production and test accounts

Question 62

For S3 replication, we added an object to Bucket 1, which was replicated in Bucket 2, but Bucket 3 did not replicate Bucket 2's object. Why not?

Answer 62

There is no chaining for bucket replication.

Question 63

We want to upload an object in S3 to a pre-signed URL using the CLI but are getting errors. What could be the cause?

Answer 63

We must use the SDK. The CLI does not allow for uploading objects to pre-signed URL

Question 64

We want to generate a pre-signed URL from S3 in colinsbucket2020 for file picture.jpg for 5 minutes. What is the command from the CLI we would use?

Answer 64

aws s3 presign s3://colinsbucket2020/picture.jpg --expires-in 300 --region {{region}}; Region is needed or else can cause problems

Question 65

What are the S3 storage classes?

Answer 65

``` Standard - General Purpose; Standard - Infrequent Access (IA); One Zone - Infrequent Access; Intelligent Tiering; Glacier; Glacier Deep Archive; ```

Question 66

What is the difference between Standard IA and One Zone - IA for S3 bucket tier?

Answer 66

One Zone is in one AZ. So if that AZ was to go down, then the data would be lost.

Question 67

What two access tiers does S3 Intelligent Tiering move between?

Answer 67

S3 Standard and Standard IA

Question 68

What are the 3 retrieval options for Amazon Glacier?

Answer 68

Expedited (1 to 5 minutes); Standard (3 to 5 hours); Bulk (5 to 12 hours);

Question 69

What are the Amazon Glacier Deep Archive retrieval options?

Answer 69

Standard (12 hours) | Bulk (48 hours)

Question 70

What is the minimum storage duration for Glacier vs Glacier Deep?

Answer 70

Minimum storage for Glacier is 90 days. Minimum for Glacier Deep is 180 days

Question 71

What are transition actions in S3 Lifecycle rules?

Answer 71

It defines when objects are transitioned to another storage class

Question 72

What are expiration actions in S3 Lifecycle rules?

Answer 72

Configure objects to expire (delete) after some time; | Can be used to delete old versions or files if versioning is enabled

Question 73

Your application on EC2 creates images thumbnails after profile photos are uploaded to Amazon S3. These thumbnails can be easily recreated, and only need to be kept for 45 days. The source images should be able to be immediately retrieved for these 45 days, and afterwards, the user can wait up to 6 hours. How would you design this?

Answer 73

S3 source images can be on STANDARD, with a life-cycle configuration to transition them to GLACIER after 45 days. S3 thumbnails can be on ONEZONE_IA with a life-cycle configuration to expire them (delete them) after 45 days.

Question 74

A rule in your company states that you should be able to recover your deleted S3 objects immediately for 15 days, although this may happen rarely. After this time, and for up to 365 days, deleted objects should be recoverable within 48 hours.

Answer 74

You need to enable S3 versioning in order to have object versions, so that "deleted objects" are in fact hidden by a "delete marker" and can be recovered; You can transition these "non-current versions" of object to S3_IA; You can transition afterwards these "non-current versions" to DEEP_ARCHIVE;

Question 75

Which encryption option can impact performance with S3 retrieval?

Answer 75

S3 KMS. When an upload happens, the GenerateDataKey KMS API is called, and when downloaded, the Decrypt KMS API is called. This may hit KMS limits.

Question 76

What is S3 Transfer Acceleration?

Answer 76

Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region. It is for upload only.

Question 77

What is S3 Byte-Range Fetching?

Answer 77

Parallelize GET's by requesting specific byte ranges.

Question 78

What does S3 select allow us to do?

Answer 78

It allows us to grab a subset of data from an object by using simple SQL expressions.

Question 79

You want to ensure that an event notification is sent for every successful write. How would we do that?

Answer 79

Enable versioning for your bucket. With versioning, every new version created sends out an event notification

Question 80

What is AWS Athena?

Answer 80

It is a serverless service to perform analytics directly against S3 files

Question 81

Before you run an AWS Athena query, you must do what?

Answer 81

Add a query result location

Question 82

What is S3 object lock and Glacier Vault Lock?

Answer 82

S3 object lock is block an object version being changed for a specified amount of time.

Question 83

You have enabled versioning and want to be extra careful when it comes to deleting files on S3. What should you enable to prevent accidental permanent deletions?

Answer 83

Enable MFA Delete

Question 84

You suspect some of your employees to try to access files in S3 that they don't have access to. How can you verify this is indeed the case without them noticing?

Answer 84

Enable S3 Access Logs and analyze them using Athena

Question 85

You are looking for your entire S3 bucket to be available fully in a different region so you can perform data analysis optimally at the lowest possible cost. Which feature should you use?

Answer 85

S3 Cross-Region Replication

Question 86

You would like to retrieve a subset of your dataset stored in S3 with the CSV format. You would like to retrieve a month of data and only 3 columns out of the 10. You need to minimize compute and network costs for this, what should you use?

Answer 86

S3 Select

Question 87

When uploading a file that is 1 GB to S3, which type of upload will give you the best throughput performance and resilience?

Answer 87

Do a multi-part upload. It is recommended to do this of files greater than 100 MB.

Question 88

Creating a bucket policy in S3 will override the S3 Block Public Access feature, true or false?

Answer 88

False. Even if the policy is set for public reads, BPA will overrules these policies.